Cloud computing is a computing infrastructure for enabling ubiquitous access to shared pools of servers, storage, computer networks, applications and other data resources, which can be rapidly provisioned, often over a network, such as the Internet.
A “data resource” as used herein may include any item of data or code (e.g., a data object) that can be used by one or more computer programs. In example embodiments, data resources are stored in one or more network databases and are capable of being accessed by applications hosted by servers that share common access to the network database. A data resource may for example be a data analysis application, a data transformation application, a report generating application, a machine learning process, a spreadsheet or a database.
Some companies provide cloud computing services for registered customers, for example manufacturing and technology companies, to create, store, manage and execute their own resources via a network. Sometimes, these resources may interact with other resources, for example those provided by the cloud platform provider. Certain data resources may be used to control external systems.
Typical computer systems include a file system to control how data is stored and retrieved. Conventional file systems maintain information regarding user access permissions in conjunction with each stored resource to control users' ability to access the resources. For example, one user may be permitted to view and change a particular resource while another user may only be permitted to view the resource. In some instances, multiple application programs may share common access to resources included in a single file system. For example, a suite of network applications may provide a common interface that provides a user with various related functionalities that allow the user to interact with a common repository of data objects shared by the application suite. In these instances, each application program is typically responsible for evaluating whether a user has permission to access a resource included in the file system based on the user access permission information maintained along with the resource. Not only does this conventional implementation lead to painstaking redundancies in development of such an application, but this also presents the potential for inconsistent handling of user access permissions across each of the applications.
An additional drawback of conventional file systems is in the handling of resources with dependencies to other resources. Because the permission information of each resource is maintained along with the resource itself, in order to determine whether a user may access a resource with dependencies, the evaluator must traverse the entire tree of dependencies of the resource to reach the correct determination. As a result of this read-heavy workflow, computational resources are inefficiently used because of the number of statements that must be executed to determine the actual access permission of the user, which, in turn, leads to a degradation in system performance.
Further, over time, user-initiated change may inadvertently result in certain users, or groups of users, having unintended permissions in relation to one or more resources, or certain users not having permissions in relation to resources they were initially permitted to access or update, etc. It is conventionally difficult to identify such changes due to the complexity of the access permissioning system and the sheer amount of data involved. It also generally requires knowledge of how the particular access permissioning system operates, which most users of the data processing platform are unlikely to be familiar with. Inadvertent changes may mean that resources are vulnerable from a security point of view, but determining this without using significant expertise and processing resources is challenging.
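The following is an added example, not part of the original text, illustrating the dependency-tree traversal and the permission drift described above by comparing effective access between two snapshots of per-resource permissions. The resource names, users, the `view` permission and the rule that access requires the permission on the resource and on every transitive dependency are assumptions made for illustration.

```python
from typing import Dict, Set, Tuple

# Constructed sample data: names and the "view" permission are illustrative.
DEPS: Dict[str, Set[str]] = {           # resource -> direct dependencies
    "report": {"dataset", "transform"},
    "transform": {"dataset"},
    "dataset": set(),
}
BASELINE = {                             # resource -> user -> permissions
    "report": {"alice": {"view", "edit"}, "bob": {"view"}},
    "transform": {"alice": {"view"}, "bob": {"view"}},
    "dataset": {"alice": {"view"}, "bob": {"view"}},
}
CURRENT = {                              # one edit: bob swapped for carol on dataset
    "report": {"alice": {"view", "edit"}, "bob": {"view"}},
    "transform": {"alice": {"view"}, "bob": {"view"}},
    "dataset": {"alice": {"view"}, "carol": {"view"}},
}

def effective_access(user, resource, perm, acl, deps) -> Tuple[bool, int]:
    """Walk the whole dependency tree; return (allowed, ACL lookups performed).
    Assumption: access needs `perm` on the resource and every dependency."""
    seen, stack, allowed = set(), [resource], True
    while stack:
        node = stack.pop()
        if node in seen:                 # shared or cyclic dependency
            continue
        seen.add(node)
        if perm not in acl.get(node, {}).get(user, set()):
            allowed = False
        stack.extend(deps.get(node, ()))
    return allowed, len(seen)

def drift(baseline, current, deps, perm="view"):
    """Compare effective access in two snapshots; return (gained, lost)."""
    users = {u for acl in (baseline, current) for e in acl.values() for u in e}
    gained, lost = set(), set()
    for res in deps:
        for user in users:
            before = effective_access(user, res, perm, baseline, deps)[0]
            after = effective_access(user, res, perm, current, deps)[0]
            if after and not before:
                gained.add((user, res))
            elif before and not after:
                lost.add((user, res))
    return gained, lost

if __name__ == "__main__":
    print(drift(BASELINE, CURRENT, DEPS))
```

In this constructed data a single permission edit on `dataset` removes bob's effective access to all three resources, which a per-resource comparison of the stored permissions would report as one change.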